Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01

Contents

Title and Copyright Information

Send Us Your Comments

Preface

Part I Oracle Advanced Security Features

1 Introduction to Oracle Advanced Security

About Oracle Advanced Security
Network Security in a Distributed Environment
Security Threats
Oracle Advanced Security Features
Data Privacy
Data Integrity
Authentication
Single Sign-On
Authorization
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Configuration for Network Authentication
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
Setting OS_AUTHENT_PREFIX to a Null Value
Oracle Advanced Security Restrictions

2 Configuring Data Encryption and Integrity

Oracle Advanced Security Encryption
Domestic and Export Editions
DES Algorithm for Standards-Based Encryption
DES40 Algorithm for Backwards Compatibility
RSA RC4 Algorithm for High Speed Encryption
RC4_128 for Domestic Customers
RC4_40 and RC4_56 for International Customers
Triple-DES Support in SSL
Oracle Advanced Security Data Integrity
Types of Attacks
Data Integrity Algorithms Supported
Diffie-Hellman-Based Key Management
Overview of Site-Specific Diffie-Hellman Encryption Enhancement
Overview of Authentication Key Fold-in Encryption Enhancement
Configuring Data Encryption and Integrity
Activating Encryption and Integrity
Negotiating Encryption and Integrity
Setting Encryption and Integrity Parameters Using Net8 Assistant

3 Thin JDBC Support

About the Java Implementation
JDBC Support
Securing Thin JDBC
Implementation Overview
Obfuscation
Configuration Parameters

4 Configuring RADIUS Authentication

RADIUS Overview
RADIUS Authentication Modes
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Enabling RADIUS Authentication and Accounting
Task 1: Install RADIUS on the Oracle Server and on the Oracle Client
Task 2: Configure RADIUS Authentication
Task 3: Add the RADIUS Client Name to the RADIUS Server Database
Task 4: Create a User and Grant Access
Task 5: Configure RADIUS Accounting
Task 6: Configure the Authentication Server for Use with RADIUS
Task 7: Configure the RADIUS Server for Use with the Authentication Server
Task 8: Create and Grant Roles
Logging on to the Database

5 Configuring CyberSafe Authentication

Enabling CyberSafe Authentication
Task 1: Install the CyberSafe Server
Task 2: Install the CyberSafe TrustBroker Client
Task 3: Install the CyberSafe Application Security Toolkit
Task 4: Configure a Service Principal for an Oracle Server
Task 5: Extract the Service Table from CyberSafe
Task 6: Install an Oracle Server
Task 7: Install Oracle Advanced Security With CyberSafe
Task 8: Configure Net8 and Oracle on the Server and Client
Task 9: Configure CyberSafe Authentication
Task 10: Create a CyberSafe User on the Authentication Server
Task 11: Create an Externally Authenticated Oracle User on the Oracle Server
Task 12: Get the Initial Ticket for the CyberSafe/Oracle User
Task 13: Connect to an Oracle Server Authenticated by CyberSafe
Troubleshooting the Configuration of the CyberSafe Authentication Adapter

6 Configuring Kerberos Authentication

Enabling Kerberos Authentication
Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Server and an Oracle Client
Task 5: Install Net8 and Oracle Advanced Security
Task 6: Configure Net8 and Oracle
Task 7: Configure Kerberos Authentication
Task 8: Create a Kerberos User
Task 9: Create an Externally-Authenticated Oracle User
Task 10: Get an Initial Ticket for the Kerberos/Oracle User
Utilities for the Kerberos Authentication Adapter
Use okinit to Obtain the Initial Ticket
Use oklist to Display Credentials
Use okdstry to Remove Credentials from Cache File
Connecting to an Oracle Server Authenticated by Kerberos
Troubleshooting the Configuration of Kerberos Authentication

7 Configuring SecurID Authentication

System Requirements
Known Limitations
Enabling SecurID Authentication
Task 1: Register Oracle as a SecurID Client
Task 2: Install Oracle Advanced Security
Task 3: Ensure that Oracle Can Find the Correct UDP Port
Task 4: Configure Oracle as a SecurID Client
Task 5: Configure SecurID Authentication
Creating Users for SecurID Authentication
Task 1: Assign a Card Using Security Dynamics sdadmin Program
Task 2: Create an Oracle Server Account for the User
Task 3: Grant the User Database Privileges
Using SecurID Authentication
Logging On to the Oracle Server
Assigning a New PIN to a SecurID Card
Logging on When the SecurID Card is in "Next Code" Mode
Troubleshooting the Configuration of SecurID Authentication

8 Configuring Identix Biometric Authentication

Overview
Architecture of the Biometric Authentication Service
Administration Architecture
Authentication Architecture
Prerequisites
Installing the TouchSafe II Encrypt Device Driver for Windows NT
Biometric Manager PC
Client PC
Database Server
Biometric Authentication Service
Enabling Biometric Authentication
Task 1: Configure the Database Server that is to become the Authentication Server
Task 2: Configure Identix Authentication
Task 3: Establish a Net Service Name for the Fingerprint Repository Server
Task 4: Verify that the Address of the Database Server is Accessible to the Client
Task 5: Configure the Biometric Manager PC
Administering the Biometric Authentication Service
Create a Hashkey on Each of the Clients:
Authenticating Users with a Biometric Authentication Service
Troubleshooting

9 Configuring DCE GSSAPI Authentication

Configuring DCE GSSAPI Authentication
Task 1: Create the DCE Principal
Task 2: Configure the New DCE Principal and Enable DCE GSSAPI Authentication
Task 3: Set up the Account for Authenticating to the Database
Task 4: Connect to an Oracle Server using DCE GSSAPI Authentication

10 Configuring Secure Socket Layer Authentication

SSL In an Oracle Environment
What You Can Do with SSL
Architecture of SSL in an Oracle Environment
Components of SSL in an Oracle Environment
How SSL Works in an Oracle Environment: The SSL Handshake
SSL Beyond an Oracle Environment
SSL Combined with Other Authentication Methods
Architecture of SSL Combined with Other Authentication Methods
Using SSL Combined with Other Oracle Authentication Methods
Issues When Using SSL
Enabling SSL
Task 1: Install Oracle Advanced Security and Related Products
Task 2: Configure SSL on the Client
Task 3: Configure SSL on the Server
Task 4: Log on to the Database

11 Choosing and Combining Authentication Methods

Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Oracle For Multiple Authentication Methods

Part II Oracle DCE Integration

12 Overview of Oracle DCE Integration

System Requirements
Backward Compatibility
Overview of Distributed Computing Environment (DCE)
Overview of Oracle DCE Integration
Components of Oracle DCE Integration
Flexible DCE Deployment
Release Limitations

13 Configuring DCE for Oracle DCE Integration

Task 1: Create New Principals and Accounts
Task 2: Install the Key of the Server into a Keytab File
Task 3: Configure DCE CDS for Use by Oracle DCE Integration
Give Servers Permission to Create Objects in the CDS Namespace
Load Oracle Service Names into CDS

14 Configuring Oracle for Oracle DCE Integration

DCE Address Parameters
Configuring the Server
Creating and Naming Externally-Authenticated Accounts
Setting up DCE Integration External Roles
Connecting to an Oracle Database as SYSDBA or SYSOPER Using DCE
Configuring the Client
Parameters in protocol.ora
Configuring Clients to Use DCE CDS Naming
Enable CDS for use in Performing Name Lookup
Modify the CDS Attributes File and Restart the CDS
Create a tnsnames.ora File for Loading Oracle Connect Descriptors into CDS
Load Oracle Connect Descriptors into CDS
Delete or Rename the tnsnames.ora File
Modify the sqlnet.ora File to Resolve Names in CDS
Connect to Oracle Servers in DCE

15 Connecting to an Oracle Database in DCE

Starting the Listener
Connecting to an Oracle Database Server in the DCE Environment
Method 1
Method 2

16 DCE and Non-DCE Interoperability

Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
The listener.ora File
The tnsnames.ora File
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible
SQL*Net Release 2.2 and Earlier
SQL*Net Release 2.3 and Net8

Part III Oracle8i Security/Directory Integration

17 Managing Enterprise User Security

Overview of Enterprise User Security
About Directories
Elements of Enterprise User Security Management
Architecture of Enterprise User Security Management
How Enterprise User Security Management Works
User/Schema Separation
Setting Up User/Schema Separation
User/Schema Separation Functionality and SSL
Creating a Shared Schema
Creating an Enterprise User in the Directory
Mapping an Enterprise User to a Shared Schema
Summary
Current User Database Links
Oracle Enterprise User Security Components
Oracle Wallet Manager
Oracle Enterprise Login Assistant
Oracle Enterprise Security Manager
Oracle Internet Directory
Installing and Configuring Enterprise User Security
Task 1: Install or Identify a Certificate Service
Task 2: Install and Configure a Directory Service
Task 3: Install and Configure One or More Databases
Task 4: Configure Database Clients
Task 5: Install and Configure Oracle Enterprise Security Manager
Task 6: Create and Configure Enterprise Users
Task 7: Log In as the Enterprise User
Troubleshooting Enterprise User Login

18 Using Oracle Wallet Manager

Overview
Security Concepts
Using Oracle Wallet Manager with Oracle Application Server
Starting Oracle Wallet Manager
Managing Wallets
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Managing Certificates
Managing User Certificates
Managing Trusted Certificates

19 Oracle Enterprise Login Assistant

About Oracle Enterprise Login Assistant
Starting Oracle Enterprise Login Assistant
Enabling Automatic Login
Disabling Automatic Login
Changing a Wallet Password

20 Using Oracle Enterprise Security Manager

Introduction
Installing and Configuring Oracle Enterprise Security Manager
Task 1: Install Oracle Enterprise Security Manager
Task 2: Configure Oracle Enterprise Security Manager
Task 3: Start Oracle Enterprise Security Manager
Task 4: Log Into the Directory
Navigating Oracle Enterprise Security Manager
Changing a Search Base
Browsing the Directory
Administering Enterprise Databases, Domains, and Users
Administering Databases
Administering Enterprise Domains
Administering Enterprise Users
Managing Security Administrators

Part IV Appendixes

A Data Encryption and Integrity Parameters

Sample sqlnet.ora File
Data Encryption and Integrity Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selected List
Client Encryption Selected List
Server Integrity Level Setting
Client Integrity Level Setting
Server Integrity Selected List
Client Integrity Selected List
Client Profile Encryption

B Authentication Parameters

Parameters for Clients and Servers using CyberSafe Authentication
Parameters for Clients and Servers using Identix Authentication
sqlnet.ora File Parameters
Recommended Minimum Sets of Identix Parameters
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using SecurID Authentication
Parameters for Clients and Servers using RADIUS Authentication
sqlnet.ora File Parameters
Recommended Minimum Sets of RADIUS Parameters
Initialization File Parameters
Parameters for Clients and Servers using SSL
Authentication Parameters
Cipher Suites
SSL Version
SSL Client Authentication
Wallet Location

C Integrating Authentication Devices Using RADIUS

About the RADIUS Challenge-Response User Interface
Customizing the RADIUS Challenge-Response User Interface

D Oracle Advanced Security FIPS 140-1 Settings

Configuration Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selection List
Client Encryption Selection List
Cryptographic Seed Value
FIPS Parameter
Post Installation Checks
Status Information

E LDAP Directory Schema for Oracle Database Security

Structural Object Classes
Attributes
Access Controls

F Oracle Implementation of Java SSL

Oracle Java SSL Features
SSL Cipher Suite Supported in Oracle Java SSL
Certificate and Key Management with Oracle Wallet Manager
Oracle Java SSL Examples
Prerequisites
SecureHelloServer Program
SecureHelloClient Program
Firewall Tunnelling Program Using the SSL Socket
Class Hierarchy for Extensions to the Java SSL Package
Interface Hierarchy
oracle.security.ssl
oracle.security.cert

Glossary

Index


Copyright © 1999 Oracle Corporation.

All Rights Reserved.
